LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{%s}t" newcombined
With this format, a line in the Apache access log looks like:
10.2.5.24 - - [12/Jan/2016:09:11:38 +0800] "GET /concrete5/ HTTP/1.1" 200 19098 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36" 1452561098
Reference: Apache documentation for mod_log_config
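As an added example (not part of the original post), this Python code parses a line in the `newcombined` format above and checks that the trailing `%{%s}t` epoch value agrees with the bracketed `%t` timestamp, which is a useful sanity check before correlating logs across hosts. The function names and the altered second sample line are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Field layout of the "newcombined" LogFormat: combined format plus %{%s}t.
LINE_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)" (?P<epoch>\d+)$'
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
TIME_RE = re.compile(r"(\d{2})/(\w{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})")


def httpdate_to_epoch(value):
    """Convert Apache %t text (dd/Mon/yyyy:HH:MM:SS +zzzz) to epoch seconds."""
    m = TIME_RE.fullmatch(value)
    if not m or m.group(2) not in MONTHS:
        raise ValueError("bad %t field: " + value)
    day, mon, year, hh, mm, ss, sign, oh, om = m.groups()
    offset = timedelta(hours=int(oh), minutes=int(om))
    if sign == "-":
        offset = -offset
    local = datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                     tzinfo=timezone(offset))
    return int(local.timestamp())


def parse_newcombined(line):
    """Parse one line; return fields plus 'epoch_ok' (do %t and %{%s}t agree?)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["epoch"] = int(rec["epoch"])
    rec["epoch_ok"] = httpdate_to_epoch(rec["time"]) == rec["epoch"]
    return rec


# Sample line taken from the page.
SAMPLE = '10.2.5.24 - - [12/Jan/2016:09:11:38 +0800] "GET /concrete5/ HTTP/1.1" 200 19098 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36" 1452561098'
# Constructed line: same request with the epoch field shifted by one hour.
TAMPERED = SAMPLE[:-10] + "1452564698"

if __name__ == "__main__":
    for line in (SAMPLE, TAMPERED):
        rec = parse_newcombined(line)
        print(rec["host"], rec["time"], rec["epoch"], rec["epoch_ok"])
```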
Logstash configuration
If the Apache access log is collected by Logstash, the ruby plugin in the filter section can do the same thing.
input {
  file {
    path => "/tmp/apache.log"
    start_position => beginning
  }
}
filter {
  grok {
    # Apache access log in the default (combined) format
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  grok {
    match => ["message", "%{HTTPDATE:logdate}"]
  }
  date {
    # use the time in the access log as the event timestamp
    match => ["logdate", "dd/MMM/yyyy:HH:mm:ss Z"]
  }
  ruby {
    # change logdate to UNIX timestamp format
    code => "event['logdate']=event.sprintf('%{+%s}')"
  }
  geoip {
    # used in Elasticsearch for analysis
    source => "clientip"
  }
}
output {
  stdout { codec => rubydebug }
}
strftime(3) man page:
%s     The number of seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC). (TZ)